Security-Portal.cz is a web portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs a number of interesting services and supports enthusiasts in interesting projects.


Qantas is being extorted in recent data-theft cyberattack

Bleeping Computer - 7 July 2025 - 19:02
Qantas has confirmed that it is now being extorted by threat actors following a cyberattack that potentially exposed the data for 6 million customers. [...]
Category: Hacking & Security

'Batavia' Windows spyware campaign targets dozens of Russian orgs

Bleeping Computer - 7 July 2025 - 18:48
A previously undocumented spyware called 'Batavia' has been targeting large industrial enterprises in Russia in a phishing email campaign that uses contract-related lures. [...]
Category: Hacking & Security

Google finally gets strict about web server certificates

Computerworld.com [Hacking News] - 7 July 2025 - 18:33

Historically, when companies roll out new capabilities, they start out lenient to encourage usage. Take facial biometrics for example. When they first went into use, the initial settings were chosen to make it easier for the biometrics to work. Yes, it meant more imposters would get a green light, but it sharply limited friction for legitimate users. 

Google and many certificate authorities used a similar playbook with web server certificates, allowing them to be used for all kinds of authentication functions instead of just the web server function they were designed for.

That all ends, in theory, on June 15, 2026, according to Google.

The online post explaining the change is quite technical, but the upshot is that Google is finally trying to put an end to the sometimes sloppy way in which certs are being used.

Earlier this year, various groups debated shortening the expiration time frame of web certs to six weeks, a move that was ultimately made official in April. That move dealt with how long web certs could be used. The new Google effort focuses on what they can (and cannot) be used for.

The decision “marks a critical shift in how digital trust is governed and it has serious implications for enterprises, particularly in financial services,” said Timothy Hollebeek, industry technology strategist for DigiCert. The change “will flag such certificates as misconfigured or non-compliant, leading to significant outages for legitimate applications of this EKU. For organizations still using multipurpose certificates, this is a wake-up call. Financial institutions may no longer rely on certificates intended for browsers and web servers.”

Hollebeek argued that this is the right move, given that “many of these applications need no communication outside of the company network and will therefore be more securely protected on an internal PKI, where the organization can configure certificates as they see fit.”

Erik Avakian, a technical counselor at consulting firm Info-Tech, agreed. “Google is actually doing the right thing,” he said. “This is good because it goes back to the concept of least privilege” where certs are used “only for the intended purpose. It’s about zero trust” when “certificates are separated like this.”

Avakian said most users will do whatever is convenient, unless they’re required to do otherwise. “It helps to be forced to do better security,” he said. “Users want to get things done quickly and easily. It comes down to culture, to costs, to ease.”

Hollebeek said the change comes down to using different certificates for server authentication and client authentication. “Cryptographic separation between domains is a well-known security principle,” he said. “You should only be using Web PKI certs if there is a browser involved.”

Another certificate expert, Jason Soroko, agreed with the others that taking the easy route with certs, rather than the correct one, is behind this problem.

“Client authentication certificates should be coming from a private certificate authority,” said Soroko, who is a senior fellow at Sectigo. “It was just easier to go to some CA [certificate authority] and get your client authentication.”

The Google statement is written in a language the cert community should certainly understand:

“To align all PKI hierarchies included in the Chrome Root Store on the principle of serving only TLS server authentication use cases, the Chrome Root Program will phase-out multi-purpose roots from the Chrome Root Store. Beginning June 15, 2026, the Chrome Root Program will set an SCTNotAfter constraint on root CA certificates included in the Chrome Root Store for any PKI hierarchy found in violation of the below requirements,” Google wrote. “To reduce negative impact to the ecosystem, the Chrome Root Store may temporarily continue to include a multi-purpose root CA certificate in the Chrome Root Store without an SCTNotAfter constraint on a case-by-case basis, but only if the corresponding CA Owner has submitted a Root Inclusion Request to the CCADB for a replacement root CA certificate before June 15, 2026.”

The upshot? If your operation has been using certs in a lazy, lackadaisical manner, you’ve got less than a year to clean things up.

Category: Hacking & Security

Hackers abuse leaked Shellter red team tool to deploy infostealers

Bleeping Computer - 7 July 2025 - 16:49
Shellter Project, the vendor of a commercial AV/EDR evasion loader for penetration testing, confirmed that hackers used its Shellter Elite product in attacks after a customer leaked a copy of the software. [...]
Category: Hacking & Security

Apple appeals fine, says EU has ‘gone beyond’ the law

Computerworld.com [Hacking News] - 7 July 2025 - 15:47

Even though threats of additional fines mean it has been forced to make so many changes to bring its business into compliance with Europe’s Digital Markets Act (DMA), Apple has always said it would appeal Europe’s $570 million fine for violating the DMA. Today, it did just that, accusing the European Commission of going beyond what the law requires.

In a statement provided to Computerworld, Apple said: “Today we filed our appeal because we believe the European Commission’s decision, and their unprecedented fine, go far beyond what the law requires. As our appeal will show, the EC is mandating how we run our store and forcing business terms which are confusing for developers and bad for users. We implemented this to avoid punitive daily fines and will share the facts with the Court.”

Beyond what the law requires

The company has identified multiple instances in which regulators agreed to one thing and then demanded more, effectively dictating and micro-controlling Apple’s business to the detriment of the company and its customers. The company seems to have two strands to its argument:

  • The recently introduced tiered service scheme Apple reluctantly brought to market in Europe is one facet. It seems the two sides agreed that Apple could seek compensation for App Store services provided to developers through a Store Services Fee, which Apple announced last year. The regulators then changed their minds, insisting the fee structure include tiers so developers could opt out of some services. This forced Apple to introduce a new model quite recently — even though no other App Store provider offers such services in this way.
  • In the days following Apple’s latest changes, I saw complaints about the tiered system Apple put in place. But the company was required to split them this way by the regulators, who dictated which services had to be optional. Given regulators don’t actually make anything, it’s no surprise some of their decisions seem somewhat clumsy. 

Lack of clarity and consistency

Apple is also challenging the “steering” concept the regulators seemingly insist should be applied against its business. Announcing its record fine against Apple, Europe also redefined some of the components to justify the move. 

That meant the European Commission changed its stance to say steering wasn’t just about publicizing offers and promotions on external sites, but also about free promotion of offers and services such as alternative app payments within apps. Apple was also forced to permit links from inside apps to third-party app stores. 

Apple’s claim is that in making these changes, the regulators moved beyond the law, redefining the notion of steering in a way that exceeded what the DMA actually required. 

Win or lose, we’ve already lost

Apple will use its time in court to try to prove these claims, but the action will probably stretch across years — unless Commissioners change their approach or the political intention in the EU and/or US shifts.

While we wait, European customers will be able to enjoy the full benefits of the new arrangements, in the form of sketchy in-app pester advertising to use unregulated third-party payment services, a loyalty war as some big apps attempt to use their own market reach to create their very own app store fiefdoms, slow or no appearance of some operating system features and a less-effective search system for applications. 

It won’t all be good news, as I expect some millionaires with the cash to build and maintain App Stores of their own might carve out a couple of bucks from within this inevitable chaos. If you play games, for example, you’ll gain the pleasure of giving money for existentially inconsequential in-game digital boosts direct to the publisher, rather than via the platform. (This does also mean you’ll only have the games publisher to help you when things go wrong, including when your kids purchase in-game currency when using the app. Good luck with that.)

That’s progress I suppose, a change that will give some users a real sense of freedom from the so-called Apple Tax, and will no doubt give Europe’s current neo-liberal leadership a cozy, fuzzy feeling. Perhaps Commissioners should focus their intention elsewhere.


Category: Hacking & Security

Capgemini to buy WNS to boost its business process services with AI

Computerworld.com [Hacking News] - 7 July 2025 - 15:40

IT consulting firm Capgemini wants to beef up its agentic AI expertise with its planned $3.3 billion acquisition of business process management specialist WNS.

The deal is an indicator of the rapid expansion of the business process services (BPS) market, driven by surging demand for automation powered by agentic AI, said industry experts and analysts.

“Hybrid automation with agentic AI is a key priority for enterprise decision-makers in the next three years,” said Charlie Dai, vice president and principal analyst at Forrester.

The global business process outsourcing (BPO) market, including BPS, was valued at $300 billion in 2024 according to Grand View Research, which projects the market will surge to $525 billion in 2030, driven by demand for new technologies such as generative AI.

Capgemini has reached a definitive agreement to acquire WNS, and plans to integrate it into its Global Business Services portfolio when the deal closes some time before the end of the year. It expects the deal to help it serve enterprise clients seeking intelligent automation and digital transformation.

Forrester’s Dai said WNS’s domain-specific AI agents and agentic AI platforms, especially the customer experience tool WNS Expirius, will effectively help Capgemini enhance its agent-driven business process services and offer the same to its existing customers.

For Gartner vice president analyst DD Mishra, WNS’s investments in intelligent automation, analytics, and agentic solutions including its TRAC analytics suite and Malkom knowledge management platform will complement Capgemini’s existing technology and consulting strengths.

Sharath Srinivasamurthy, research vice president at IDC, pointed to the acquisitions WNS has itself made in recent months, including Kipi.ai, Smart Cube, and OptiBuy, to enhance its data, analytics, and procurement stack and extend its proficiency in business process operations.

Less about agentic tools and more about process operations expertise?

However, Rajesh Ranjan, managing partner at Everest Group, views the WNS acquisition as more of a strategic play rather than being focused on garnering more agentic tools or capabilities.

“The key driver behind the acquisition is less to do with the tools or software but rather the access to business process operations expertise that WNS brings to the table, a prerequisite to develop and deploy real-world AI solutions,” Ranjan said, adding that agentic AI is still in its infancy and is largely locked in pilot stages across enterprises.

WNS’s 600 clients should expect to receive sales calls from Capgemini once the deal closes, said IDC’s Srinivasamurthy: “This is a huge opportunity for Capgemini to cross-sell technology services to them and position as a true technology driven end-to-end service provider.”

Changing dynamics for BPS

The WNS acquisition may trigger similar acquisitions in the BPS market, as Capgemini’s rivals are also eyeing BPS vendors to increase their footprint and operations while these vendors undergo operational transformation driven by the demand for AI, said Everest Group’s Ranjan.


Category: Hacking & Security

China’s AI unity fractures as Huawei faces model theft allegations from the Alibaba camp

Computerworld.com [Hacking News] - 7 July 2025 - 14:56

Huawei’s AI research division has rejected claims that its Pangu Pro large language model copied elements from an Alibaba model, marking a significant escalation in China’s AI ecosystem as tech giants abandon their collaborative approach in favor of bitter public disputes.

The telecommunications giant’s Noah’s Ark Lab issued a denial Saturday, after an entity called HonestAGI published a technical analysis claiming Huawei’s Pangu Pro Mixture of Experts (MoE) model showed extraordinary correlation with Alibaba’s Qwen 2.5 14B model, reported Reuters. The analysis alleged the model was derived through “upcycling” rather than being trained from scratch.

The public confrontation represents a dramatic shift from China’s previous unity in challenging Western AI dominance. Industry analysts say the infighting could undermine China’s ability to present a consolidated front against US-led competitors like OpenAI, Google DeepMind, and Anthropic.

HonestAGI’s GitHub analysis claimed a correlation coefficient of 0.927 between the two models, using what it called “model fingerprinting” to identify patterns that supposedly revealed one model’s derivation from another.

Noah’s Ark Lab responded that its model was “not based on incremental training of other manufacturers’ models” and featured “key innovations in architecture design and technical features.” The company emphasized that Pangu Pro was the first large-scale model built entirely on Huawei’s Ascend chips, the report added.

“This dispute actually points to changing dynamics of the Chinese AI ecosystem’s speed of maturity and pressure to remain relevant and compete to foster innovation faster than the traditional collaborative approach, which we have seen,” said Neil Shah, VP for research and partner at Counterpoint Research.

Competition reaches fever pitch

The controversy escalated when an alleged Huawei insider posted detailed accusations about systematic model copying within the company. The anonymous whistleblower, claiming to be a Pangu team member, accused leadership of “cloning” both Alibaba’s Qwen and startup DeepSeek’s models while presenting them as original work.

“They had ‘cloned’ Qwen‑1.5 (110B), wrapped it in extra layers and changes — creating a pseudo‑135B ‘V2’ model,” the whistleblower wrote in the paper. “This rebranded model, with code still named ‘Qwen,’ was rolled out to clients.”

The allegations couldn’t be independently verified, and the whistleblower’s identity remains unknown.

The dispute comes as Chinese AI companies scramble after DeepSeek’s breakthrough R1 model release in January stunned Silicon Valley with its low-cost, high-performance approach. Alibaba rushed out its Qwen 2.5-Max model just weeks later, claiming superior performance across multiple benchmarks.

“What once was a state-aligned innovation drive is now being reshaped by market-led competition, where speed-to-scale often overrides transparency,” said Sanchit Vir Gogia, chief analyst and CEO at Greyhound Research.

Trust deficit emerges

This development has raised uncomfortable questions about credibility on all sides. Technical analysis of HonestAGI’s methodology revealed potential flaws, with researchers finding similar correlation patterns between unrelated models using the same fingerprinting technique. Critics also discovered fabricated references to non-existent research in HonestAGI’s paper.

“Also, this is a double-edged sword for China’s strategy to drive openness of the models where there could be potential derivations of the best models out there,” Shah added. “We have seen this happen with OpenAI-DeepSeek as well.”

The dispute highlights broader challenges facing the AI industry as development costs soar and model reuse becomes common. Vershita Srivastava, practice director at Everest Group, said the sector needs better tools to handle such controversies.

“The industry must adopt a comprehensive framework that includes advanced fingerprinting and watermarking techniques that can reliably trace model lineage,” Srivastava said.

The public nature of this dispute marks a turning point for China’s AI sector, which previously maintained at least a veneer of collaboration.

Gogia warned that the infighting could have lasting consequences beyond China’s borders. “This episode underscores that Chinese vendors are now operating under public scrutiny, and any erosion of trust could have lasting geopolitical and commercial consequences,” he said. The controversy may force enterprise buyers, especially in Southeast Asia and the Middle East, to reevaluate partnerships with Chinese AI providers.

The allegations have also exposed what Gogia calls the “growing inadequacy of conventional IP frameworks when applied to LLMs.” Parameter-level fingerprinting techniques offer promise but remain scientifically contested and legally untested.

Market divide

The feud highlights how China’s AI leaders target different markets while chasing the same prize. Alibaba’s Qwen family focuses on consumer applications with ChatGPT-like services and has been downloaded more than 40 million times since going open-source. Huawei’s Pangu models target enterprise clients in government, finance, and manufacturing.

Despite entering the large language model arena early with Pangu’s 2021 debut, Huawei has struggled to keep pace with rivals. The company open-sourced its Pangu Pro MoE models in June, hoping to boost adoption through free developer access.

The latest controversy underscores the urgent need for industry-wide standards. “Without agreed-upon definitions of derivation — particularly in models trained on shared corpora — vendors face an unclear compliance landscape,” Gogia noted. “This ambiguity creates space for weaponized accusations and erodes open-source collaboration.”

Srivastava emphasized the need for legal frameworks, saying it’s “imperative to establish clear definitions for derivative models and implement nuanced licensing frameworks that support responsible reuse, enforce appropriate attribution, and uphold usage restrictions.”

How this controversy resolves will set important precedents for intellectual property disputes in an increasingly competitive AI landscape. The success of nimble operations like DeepSeek has upended assumptions about what it takes to build cutting-edge AI, making bloated bureaucracies look more like liabilities than advantages.

Alibaba did not immediately respond to requests for comment.

Category: Hacking & Security

Linux Privilege at Risk: Sudo Flaws You Can’t Afford to Ignore

LinuxSecurity.com - 7 July 2025 - 14:01
It's no exaggeration to call sudo the cornerstone of Linux privilege management. It's one of the first utilities we configure on fresh installs, and it's baked into almost every Linux distribution by default. Which is precisely why reports of two significant vulnerabilities in sudo, CVE-2025-32462 and CVE-2025-32463, are grabbing headlines and raising red flags. These are local privilege escalation flaws, and if they're exploited, an attacker could jump from a non-privileged user account straight into the shoes of the almighty root user.
Category: Hacking & Security

Ingram Micro confirms ransomware attack after days of downtime

Computerworld.com [Hacking News] - 7 July 2025 - 13:41

Ingram Micro is facing a major cybersecurity crisis as a ransomware attack has triggered a multi-day IT outage, disrupting services for customers and partners across the globe. The outage, which reportedly began on July 3, has impacted several of the company’s core platforms and left it unable to process or ship orders.

Days after the incident occurred, on July 6, the global IT distribution giant officially confirmed detecting a ransomware attack. “Promptly after learning of the issue, the company took steps to secure the relevant environment, including proactively taking certain systems offline and implementing other mitigation measures,” the company said in a statement.

Category: Hacking & Security

Passkeys: How they work, how to use them

Computerworld.com [Hacking News] - 7 July 2025 - 13:00

Once upon a time, signing into sites and apps was simple.

You remember those days, right? (They really weren’t that long ago, though by tech standards, it’s been roughly seven centuries.) All you’d do is remember a single username and password — or maybe put it on a Post-it and stick it to the bottom of your 11″ oatmeal-gray 7,000-lb. monitor monster, if you were really feeling fancy — and that’s it: You’d be ready to rush into whatever site or service you wanted, whenever the need arose.

Now, it’s a whole other story. If you’re following best practices, you’ve got unique, complex alphanumerical passwords for every single site and service you visit — managed by a password manager and supplemented by two-factor authentication. And if that isn’t enough, you’re increasingly being prompted to drop all of those elements and instead rely on a newer and even more mystifying method of authentication called a passkey.

Whether you’re a gadget-loving technophile or a perpetually befuddled technophobe — and whether you’re an individual tech user or part of a broader corporate organization — the one consistent reality about passkeys is that they’re confusing as all get-out. Their aim may be to simplify security around sign-ins, but in actuality, they create all sorts of uncertainty and unanswered questions.

Think of this as your one-stop spot to find those elusive answers.

Time to dive deep into passkeys and explore all the pressing questions about what they are, how they work, and how you can put ’em to proper use — without putting yourself in harm’s way.

First: What are passkeys, anyway?

Let’s start at the beginning: Passkeys are a relatively recent security feature that let you log in to an account simply by authenticating on a device with your fingerprint or face scan — or, in some cases, another screen lock mechanism (e.g., the PIN or passcode you put into your device when first firing it up).

In a sense, it’s kind of like two-factor authentication — only instead of typing in a traditional password and then verifying it’s you as a second step, you’re basically just jumping right to that second step with the knowledge that such action shows you’ve already unlocked an approved device and demonstrated your identity.

So how is that better than a password, in terms of security?

The idea is that passwords are inherently vulnerable, since they’re text-based codes that you type in or store somewhere and thus that someone else could potentially access or figure out (or find in one of the endless series of breaches we hear about these days).

With a passkey, that risky variable is eliminated. Instead, you’re signing in solely based on the fact that you’ve already unlocked your phone or computer — ideally using some manner of biometric authentication but at the very least using a PIN or passcode there — and thus have already proven who you are. And you set up a different passkey for each site or service, eliminating the possibility of reused credentials.

Plus, you personally have that device in front of you, which means a hacker couldn’t crack the code and pretend to be you without physically taking your device and being able to get past its lock screen.

That also means the long-standing issue of phishing — where someone tricks you into sharing your sign-in credentials so they can steal ’em — isn’t really even possible anymore (unless you’re tricked into skipping the passkey entirely and entering a traditional password somewhere along the way). And it means you’re no longer going through a cumbersome multistep process every time you need to sign into something, too, since passkeys streamline those steps and take the burden off of your shoulders.

How are passkeys even stored? Couldn’t someone still steal them?

On a technical level, the bits and bytes that make up a passkey are encrypted with public key cryptography — a fancy way of saying they rely on a pair of keys, one that’s public and one that’s stored privately on your local device — which makes them exceptionally difficult to crack or plunder.

That’s in large part because of the way the private key piece of the puzzle works: In short, the site you’re signing into never sees your private key and only receives confirmation that it’s present and valid. The key itself remains on your device, with encryption keeping it unreadable until the moment you authenticate. The actual passkey data is never transferred during the login, and there’s no real mechanism to even copy and paste it anywhere, like you would with a password, so the potential for a hacker to exploit it is pretty darn slim.

The one extra wrinkle is that for most people and purposes, the underlying (and encrypted) passkey data is synced to a service that’s connected to a secure account you own and thus can use to sign back in and restore the passkey on a different device. That’s the case with the Google Password Manager system associated with Android, with the iCloud Keychain system associated with iOS, and with most third-party password managers such as 1Password and Bitwarden, too.

But the version of the passkey stored in any such service is securely wrapped and not in any raw, readable, or exportable form. It’s only when the data is on your authenticated device that decryption occurs (locally, on the device) and the signing operation is able to take place — with your device’s secure hardware elements and your on-device authentication serving as key elements that couldn’t be replicated in any cloud environment.

As with any security system, one can’t say it’s 100% foolproof or impossible to be compromised. But, again, with all the layers in place and the reliance on local on-device mechanisms, the odds of any hack taking place seem fairly small — certainly much smaller than they’d be with a more conventional password or even password-plus-two-factor-authentication approach and the added points of vulnerability those situations present.
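To make the "the site never sees your private key" and "phishing isn't really possible" points concrete, here is an added Go model of the passkey exchange described above. It is not code from the article or from any passkey vendor, and it is a deliberate simplification of WebAuthn: the authenticator keeps a per-site private key behind an unlock flag, the site stores only the public key, and each login signs a fresh challenge bound to the site identifier (rpID). Names such as Authenticator, RelyingParty and the domains are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Credential is everything the site keeps: a credential ID and a public key.
type Credential struct {
	ID     []byte
	Public *ecdsa.PublicKey
}

// Authenticator stands in for the phone or laptop: private keys never leave it.
type Authenticator struct {
	Unlocked bool                         // fingerprint, face or PIN accepted
	keys     map[string]*ecdsa.PrivateKey // hex(credential ID) -> private key
	scope    map[string]string            // hex(credential ID) -> rpID it was made for
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}, scope: map[string]string{}}
}

// Register mints a fresh key pair for rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) (Credential, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Credential{}, err
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return Credential{}, err
	}
	a.keys[hex.EncodeToString(id)], a.scope[hex.EncodeToString(id)] = key, rpID
	return Credential{ID: id, Public: &key.PublicKey}, nil
}

// signedMessage binds a signature to the site and to one challenge, so nothing captured is reusable.
func signedMessage(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	m := sha256.Sum256(append(rpHash[:], challenge...))
	return m[:]
}

// Assert answers a challenge with a signature; the key stays put, and a
// credential only works for the rpID it was registered with.
func (a *Authenticator) Assert(rpID string, credID, challenge []byte) ([]byte, error) {
	if !a.Unlocked {
		return nil, fmt.Errorf("device locked")
	}
	k := hex.EncodeToString(credID)
	key, ok := a.keys[k]
	if !ok || a.scope[k] != rpID {
		return nil, fmt.Errorf("no passkey registered for %q", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, key, signedMessage(rpID, challenge))
}

// RelyingParty stands in for the website: public keys, one-time challenges, verification.
type RelyingParty struct {
	ID    string
	users map[string]Credential
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, users: map[string]Credential{}}
}

func (rp *RelyingParty) Enroll(user string, c Credential) { rp.users[user] = c }

// Login runs one challenge/response round trip and reports the verdict.
func (rp *RelyingParty) Login(auth *Authenticator, user string) (bool, error) {
	c, ok := rp.users[user]
	if !ok {
		return false, fmt.Errorf("unknown user")
	}
	challenge := make([]byte, 32) // fresh nonce per attempt
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	sig, err := auth.Assert(rp.ID, c.ID, challenge)
	if err != nil {
		return false, err
	}
	return ecdsa.VerifyASN1(c.Public, signedMessage(rp.ID, challenge), sig), nil
}

func main() {
	auth := NewAuthenticator()
	auth.Unlocked = true
	site := NewRelyingParty("example.test")
	cred, _ := auth.Register(site.ID)
	site.Enroll("alice", cred)
	fmt.Println(site.Login(auth, "alice")) // true <nil>
	phish := NewRelyingParty("example-test.invalid") // look-alike domain holding a copy of the public key
	phish.Enroll("alice", cred)
	fmt.Println(phish.Login(auth, "alice")) // false + "no passkey registered" error
}
```

The look-alike site fails not because it lacks the public key (it has a copy) but because the authenticator refuses to sign for an rpID it never registered, and a locked device refuses to sign at all.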

What about two-factor authentication, then? Does that still exist?

Two-factor authentication is absolutely still advisable in any traditional sign-in scenario, but with a passkey, nope: It’s not needed — since that first step (the password) is no longer relevant and the second factor (the passkey) is already built in and present.

If I lose the device where a passkey is stored, couldn’t someone else then use it?

An excellent question indeed. Since the device is already protected by a lock screen — which requires your authentication to get past — no one else should be able to get into the device at all, let alone get to a point where they’d be authenticating as you a second time and signing into something with your passkey.

And, of course, if you ever do lose a device, you’d be well-advised to tap into systems for remotely resetting it as soon as possible to erase all stored data and essentially eliminate any (even mostly theoretical) risk.

But if I lose the device — or even just reset it, or move into a new device — wouldn’t I then lose access to the passkeys stored on it?

It’s possible — and that’s where passkeys can get particularly perplexing.

Remember: In most situations, the underlying data is stored securely in a service that handles the passkey creation — Google Password Manager, iCloud Keychain, or any number of third-party password managers. That data isn’t usable or accessible in those places, but it is available for syncing to a secured device once you’re signed in and authenticated.

That means if you ever change devices for any reason, you can simply sign back in to the appropriate service and access your passkeys as needed in that new environment. Most services also allow you to create and manage multiple passkeys across multiple devices — as is the case with Google, for instance, via its universal Google Account website. And, if all else fails, most services will still allow you to sign in with your traditional password as a backup.

That aside, you can often opt to have a passkey stored on a physical security key (cue the confusion!), which is a USB or Bluetooth stick like the ones made by Yubico and Google. In those instances, the key is limited to that one single apparatus and can be used anywhere it’s connected, but if you lose it, it’s lost — so you’d want to be extra-cautious and aware of the risks (as well as extra-cognizant of any available backup methods) if you opt to go that route.

Speaking of options, can I have multiple passkeys for a single site?

Generally speaking, you can! It all depends on the specific device or service you’re using to create and store your passkeys, but with your Google account, for instance, you can create as many passkeys as you want across multiple secure devices so you always have options available.

Google allows you to create and manage multiple passkeys so you have plenty of ways to sign into an account.

JR Raphael / Foundry

All right — so where exactly can I use a passkey?

This is another area of complication: It’s a bit of a Wild West out there as far as passkey support is concerned right now, and there’s no great way to know if a service does — or doesn’t — let you create and use a passkey without just digging through its settings or waiting to see if it offers up the opportunity.

That being said, more and more professional-oriented apps and services are starting to add passkey support, and many of the common business-software contenders are already on board. You can create and use passkeys with apps by Apple, Google, Microsoft, Adobe, and HubSpot, for instance. Docusign, Notion, Stripe, LinkedIn, and Zoho are among the other companies also offering support.

It’s almost certainly not a comprehensive or up-to-the-minute database, but a crowdsourced site called Passkeys.directory has a helpful list of places where passkeys are presently available.

How do I even create a passkey in the first place?

Alas, there’s no simple, consistent process — as it really just depends on the specific site or service.

But generally speaking, if something supports passkeys in the first place, it’ll either automatically prompt you to create one as you’re signing in or encourage you to make your way into its security or sign-in settings to find the option to create a passkey there.

For a smattering of specific examples, here are the passkey-creating instructions for:

Got it. Once I have one, then, how do I actually use it?

My, you’re full of astute questions, aren’t you?

Again, the answer here varies somewhat depending on the specific site or service — as it’s up to each individual entity to determine how, exactly, its sign-in setup works. (Sensing a theme here yet?)

In general, though, once you’ve set up a passkey, you’ll either see an option to use it as a part of the standard sign-in process or see a confirmation automatically pop up confirming its presence at some point along the way.

Signing in with a passkey is typically just a matter of clicking a button and confirming your identity.

JR Raphael / Foundry

Is this all the same if I’m using an enterprise or company-connected account?

Mostly — and maybe. If your account is part of a company-associated team, there could be certain restrictions in place as to how and when you can put passkeys to use. If something isn’t working in the way you’d expect, you may need to check with your organization’s IT department or administrator to see what options are available and if any special permissions need to be granted.

In an enterprise environment, you may run into even more requirements about what specific sorts of apps or devices can be used to store your passkeys, especially if your organization is relying on a single sign-on (SSO) solution such as Microsoft Entra or Google’s SSO setup. Your company may require you to use a physical key, for instance, or a specific app such as Microsoft Authenticator.

But that aside, the actual setup and sign-in process for passkeys in enterprise and/or SSO environments shouldn’t be any different from setting up and signing in with a passkey in any other scenario.

Is it possible to say ‘passkey’ 10 times fast without slurring?

If you put your mind to it, you can accomplish anything. I believe in you! (But please, for the sake of your professional future, limit your practicing to after-work hours.)

Does anyone ever request a passkey and accidentally get a pasty instead?

If only, my friend. If only.

Category: Hacking & Security

How to start a career in the age of AI

Computerworld.com [Hacking News] - 7 July, 2025 - 12:29

In the latest episode of First Person we meet Daniel Avancini, an academic turned entrepreneur, analyst and business person turned coder. He tells us about how he doesn’t always know his final destination, but he understands the direction in which he wishes to travel and makes decisions so he heads that way. How he hedged (in his parlance) by keeping one foot in academia and one in corporate life.

Most of all, Daniel has great advice for those starting out who are challenged by the impact of AI on the future of work: understand your passion and what you are great at — and add value by doing things that AI can’t do. Namely build relationships and generate insights in order to devise winning strategies. You can watch the interview here, listen to it here, or watch it in the box below:

First Person Meets… Daniel Avancini: Stay curious

“I’m a very curious person,” says Daniel Avancini. “I always loved to really understand deeply different subjects.”

He’s not lying. Daniel is an academic-turned-entrepreneur, an analyst and business person who shifted into writing code. When we met recently to record our episode of First Person, he told us that he doesn’t always know his final destination, but he understands the direction he wants to go — and makes decisions that take him that way. In our chat, he explains how he hedged (in his parlance) by keeping one foot in academia and another in corporate life. And from this comes wisdom. (See also: Where AI IT skills are needed most.)

AI plus human insights

“It’s a hard, hard time to start because of AI,” says Daniel. “You really need to understand what makes you different from everyone else. You can’t be just one more person because you could be replaced by AI as much as by another person. Understand what are your qualities, what you’re especially good at, and use that as a lever.”

It’s sound advice, but easy to say from the vantage point of a successful established career. I asked Daniel for more context.

“If you like to write a lot, can you use that to be a better IT professional? Can you use those skills to build better sales pitches? I don’t know, but you have to understand how what you do connects with the organization’s goal and makes you different from everyone else,” says Daniel.

If AI can do it, it’s going to do it. That might mean letting go of skills and tactics at which you are good to focus on where you can add value. It requires a human to generate insights from data, to devise strategies; that’s why organizations need the right people to be successful. (It’s something that matters to Daniel as a founder and CEO of an organization in the services industry.)

“What makes me proud is the team. Our leadership team started with us when they were really young, and now they lead projects with major corporations. To succeed we had to build a culture where people grow and learn a lot.”

From a business perspective, this is a smart hedge against AI. Daniel believes he has the right people, they’re enthusiastic, and they’re pulling in the right direction because they like what they do and who they work with. Supported by judicious use of AI tools and data, this might be what the future of the knowledge industry looks like. The question is: how do you become part of that future?

How to start a career in the AI age

“It’s a very challenging time for everyone, especially people that are at university right now,” says Daniel, who has a positive spin on the impact of AI. “There will be a lot of work for most people.”

But those people will have to be flexible and adapt. “There were magazines, then there were digital magazines. Then there’s blogging, then there’s no blogging. Then there’s social media.”

“Technology changes, but the human aspiration — what people like, what people do, what people consume — doesn’t change that quickly. Focus on those things, and see how AI or technology in general will help you get there — and adapt. I don’t want to write a 50-page report every week, I’ll leave AI to do that. I want to do the analysis,” says Daniel. “I want the insights. Process insights and think about actions, don’t just do the reports.” (See also: How to train your staff for AI.)

Category: Hacking & Security

Most managers now rely on AI for hiring and firing, study finds

Computerworld.com [Hacking News] - 7 July, 2025 - 12:00

A significant number of workplace managers are using generative AI (genAI) tools — particularly OpenAI’s ChatGPT, Microsoft Copilot, and Google Gemini — to make critical personnel decisions, including who gets promoted, who gets a raise and who gets fired, a new survey found.

The online survey by Resume Builder was conducted in late June and included 1,342 US managers; it showed 60% of them now use genAI tools to make critical decisions about their direct reports. Among those managers, 78% use the technology to determine raises, 77% for promotions, 66% for layoffs, and 64% for terminations, with more than one in five frequently allowing genAI to make final decisions without human input.

Those surveyed by Resume Builder needed a college degree, had to be over 25, work in management, and work at a company with 12 or more employees.

About 65% of managers said they use genAI tools at work, and among them, nearly all (94%) use them to make decisions about the people who report to them. Nearly half of managers surveyed said they use genAI all the time or often for several workplace tasks.

Despite that growing use, two-thirds of managers lack genAI training, and nearly half have been asked whether genAI could replace their teams, the survey found.

Resume Builder

About 46% of respondents using genAI in people management said they were tasked with evaluating whether the technology could replace a position. Among those managers, 57% determined it could — and 43% followed through and replaced the human position with genAI, according to Resume Builder.

Employers and job seekers are increasingly using genAI to streamline tasks like candidate short-listing and resume writing, and data shows it boosts success in landing jobs or finding the right hire. For overworked human resources and hiring managers, genAI can create a short list of potential candidates in seconds — and automate much of the onboarding process.

On the downside, genAI can sometimes overlook qualified candidates due to biased or narrow criteria.

Another recent study by TestGorilla revealed one in five US and UK employers now use genAI tools for initial candidate interviews, making genAI-based hiring mainstream.

Seven in 10 employers use genAI in hiring, but only 38% seek AI-specific skills — down from 52% last year — as they now value human talents such as critical thinking and communication. Fifty-seven percent of US employers have dropped college degree requirements; 74% use skills tests, according to TestGorilla.

When managers surveyed by Resume Builder were asked which tool they rely on most, ChatGPT took the top spot (53%), Microsoft’s Copilot was second (29%), and 16% said they mostly use Google’s Gemini. Just 3% said they primarily use a different genAI tool.

Managers use genAI to manage teams in a variety of ways. Nearly all (97%) use it to create training materials, 94% to build employee development plans, 91% to assess performance, and 88% to draft performance improvement plans (PIPs), Resume Builder found. Among managers who use AI to help manage their teams, fully 71% express confidence in its ability to make fair and unbiased decisions about employees.

More than a fifth of the managers allow genAI to make decisions without human input either all the time (5%) or often (16%), while another 24% sometimes do. However, nearly all said they are willing to step in if they disagree with an AI-driven recommendation.

Even so, only 32% of those using the technology to manage people said they’ve received formal training on ethically using it, while 43% have received informal guidance. And 24% said they’ve received no training at all.

Stacie Haller, chief career advisor at Resume Builder, said risks arise when managers rely on genAI to make decisions without proper training. While it can aid decision-making, genAI lacks empathy and context. Its outputs also reflect potentially flawed data, so ethical use is key to avoiding liability and preserving trust, according to Haller.

“It’s essential not to lose the ‘people’ in people management,” she said. “Organizations have a responsibility to implement AI ethically to avoid legal liability, protect their culture, and maintain trust among employees.”

Haller said companies encourage managers to use genAI to improve efficiency, enable faster decision-making, reduce overhead, and support data-driven insights that enhance productivity and scalability. But for it to be truly effective in people management, it must be implemented thoughtfully, used responsibly, and always paired with human oversight.

“Organizations must provide proper training and clear guidelines around AI, or they risk unfair decisions and erosion of employee trust,” she said.

Category: Hacking & Security

How to make agentic AI work for your organization

Computerworld.com [Hacking News] - 7 July, 2025 - 09:00

This secret for agents

Despite the hype, IT leaders tell us that there’s an approaching reset of agentic AI expectations. We recently reported that said reset may be underway, and now CIOs can get down to serious AI integration and production-grade implementations. We said that CIOs are looking to use agentic AI to execute tasks and orchestrate workflows going deep into enterprise processes, such as CRM, supply chain, enterprise resource planning, HR, finance, and more. 

This prompted readers of CIO.com to ask Smart Answers a more general question: how can they use agentic AI to drive positive outcomes for their organizations? According to our generative AI chatbot – fueled by only our trusted human journalism – the answer is to fundamentally change the way an organization operates.  

Organizations should automate processes and decision making. Empower systems to act independently, execute tasks, and make decisions with minimal human intervention. Augment human capabilities across functions including sales, customer service, HR, and IT.  

Simple, really. 

Find out: How can agentic AI drive strategic business outcomes for my organization? 

Will AI take your job?

As more companies cite AI as a main driver for layoffs, IT pros are left to wonder whether career anxieties are being realized or the industry is simply adjusting to another new paradigm. This week we reported that AI is beginning to reshape the IT job landscape as layoffs rise.

Unsurprisingly our readers had one question: will it affect me? Smart Answers has insights. 

Midlevel IT support, QA testing, and some software engineering jobs are seeing increased automation which means reduction in some roles. But there is good news: although companies are reducing legacy roles, they are also creating new positions focused on AI augmentation. 

Strap in. 

Find out: Which IT roles are most vulnerable to AI replacement?  

Cost of cloud

As these AI strategies and tactics mature, CIOs are rethinking their commitment to public cloud. This week we reported that concerns about cost and data privacy mean IT leaders increasingly see private cloud or on-prem as the better alternative for AI, once workloads stabilize and experimentation is done.

This prompted our CIO readers to ask why it is so expensive to run AI on the public cloud. Smart Answers points out that electricity costs, crucial for AI infrastructure, account for 40-60% of total operational expenses and may be partly to blame. It also points out that 40% of cloud budgets are wasted due to preventable mistakes and inefficient processes.

Find out: How is AI impacting cloud infrastructure spending?  

About Smart Answers 

Smart Answers is an AI-based chatbot tool designed to help you discover content, answer questions, and go deep on the topics that matter to you. Each week we send you the three most popular questions asked by our readers, and the answers Smart Answers provides. 

Developed in partnership with Miso.ai, Smart Answers draws only on editorial content from our network of trusted media brands—CIO, Computerworld, CSO, InfoWorld, and Network World—and was trained on questions that a savvy enterprise IT audience would ask. The result is a fast, efficient way for you to get more value from our content. 

Category: Hacking & Security

OpenAI says GPT-5 will unify breakthroughs from different models

Bleeping Computer - 7 July, 2025 - 02:22
OpenAI has again confirmed that it will unify multiple models into one and create GPT-5, which is expected to ship sometime in the summer. [...]
Category: Hacking & Security

Hands on with Windows 11 Notepad's new markdown support

Bleeping Computer - 7 July, 2025 - 01:55
Notepad now lets you use markdown text formatting on Windows 11, which means you can write in Notepad just like you could in WordPad. [...]
Category: Hacking & Security

ChatGPT is testing disruptive Study Together feature

Bleeping Computer - 7 July, 2025 - 01:07
OpenAI's "Study together" mode has been spotted in the wild, and it could help students prepare for exams directly from ChatGPT. [...]
Category: Hacking & Security

Ingram Micro outage caused by SafePay ransomware attack

Bleeping Computer - 5 July, 2025 - 17:58
An ongoing outage at IT giant Ingram Micro is caused by a SafePay ransomware attack that led to the shutdown of internal systems, BleepingComputer has learned. [...]
Category: Hacking & Security

Some antivirus products will move out of kernel mode, and the blue screen of death turns black

Zive.cz - security - 5 July, 2025 - 17:45
Testing of a new platform for antivirus software on Windows 11 begins in July. Microsoft wants antivirus products to be able to run fully in user mode. The appearance of the error screen shown when the system crashes will also change.
Category: Hacking & Security

Google's AI video maker Veo 3 is now available via $20 Gemini

Bleeping Computer - 5 July, 2025 - 01:17
Google says Veo 3, which is the company's state-of-the-art video generator, is now shipping to everyone using the Gemini app with a $20 subscription. [...]
Category: Hacking & Security

Controversial US budget bill is now law; here’s what it means for tech

Computerworld.com [Hacking News] - 5 July, 2025 - 00:51

US President Donald Trump today signed what he called his “One Big Beautiful Bill” during Fourth of July celebrations at the White House, after it squeaked through the House of Representatives Thursday afternoon in a 218 – 214 vote.

But the bill was missing what had been one of its most contentious clauses, at least for the tech industry: a 10 year ban on AI regulation by individual states. The Senate almost unanimously voted to remove that section on Tuesday.

However, noted Scott Bickley, advisory fellow at Info-Tech Research Group, “H.R. 1 [the bill’s official designation] has many provisions that could fundamentally redefine the strategic environment for the enterprise.”

And despite the removal of the AI regulation ban, Bickley said, “it does signal that Washington is seriously considering a national AI framework. Tech leaders investing in genAI today should plan for a regulatory layer tomorrow, which will likely focus on explainability, auditability, and training data integrity.”

Permanent R&D and capital expensing provisions could turn the tax code into a “strategic lever,” he noted. “CIOs and CTOs now have a clear financial incentive to anchor AI training, cloud deployment, and cybersecurity tooling on US soil. For organizations with global architecture, this could reshape their location strategies around data, compute, and compliance.”

In addition, defense allocations for cyber-resilient supply chains, domestic manufacturing, and AI-adjacent technologies could give IT “a rare but crucial chance to renegotiate vendor SLAs around security baselines,” he said.

On the minus side, he pointed out that loan caps for graduate programs and increased immigration fees could affect talent pipelines, especially for cybersecurity and AI, creating challenges for enterprises whose staffing needs are accelerating.

And while the Department of Energy got a $150 million appropriation to partner with industry sectors within the US to “curate the scientific data of the Department of Energy across the National Laboratory complex,” to make it usable by artificial intelligence and machine learning models, and to use the AI to develop microelectronics and new efficient energy technologies, the bill also slashed other energy spending and eliminated tax credits for environmental initiatives such as clean energy.

“Ultimately, it looks like H.R. 1 will reward localized innovation, incentivize tech-driven capital investment, and foreshadows a coming wave of AI oversight, all while seemingly leaving CIOs in the public sector and ESG-driven organizations to self-fund modernization efforts,” Bickley said.

Category: Hacking & Security